If you thought that Heartbleed was bad, brace yourselves for the server vulnerability that we're up against now. Last week, a bug that has been in the code for more than two decades was disclosed that affects almost all Linux and Mac OS X deployments. You heard that correctly: a vulnerability that's not confined to Windows PCs. The new bug is called Shellshock, and it affects Bash, the Unix shell that is the default shell on most Linux distributions and on Mac OS X.
For those of us who aren't terribly techie, a Unix shell is a command-line interpreter: a program that lets a user tell the computer what to do by typing text commands. Bash is widely used because it is free software written as a replacement for the Bourne shell, one of the earliest Unix shells. It also runs behind the scenes: many system scripts and server programs launch a shell without anyone typing a thing, which is why a bug in a shell can be reached over the network by someone who never logs in.
What is Shellshock?
As it turns out, the Shellshock bug has gone unnoticed for more than two decades, but since its disclosure hackers across the globe have been eager to see how they can exploit it. There is currently a race between security experts trying to patch it and attackers trying to take advantage of it.
Several patches have been released since the bug was disclosed, but the first one turned out to be incomplete: the remaining parser problem was assigned its own identifier, CVE-2014-7169. The folks at Red Hat are encouraging users to apply the initial fix now, because it blocks the attacks being seen in the wild, and to install the follow-up update as soon as it is available.
A security researcher posting as Yinette reported on Twitter that she had found the first attack in the wild exploiting the bug, a report that drew a strong response from other researchers and programmers in the replies. The bug is catalogued in the National Vulnerability Database (run by NIST and sponsored by DHS's National Cyber Security Division/US-CERT) as CVE-2014-6271.
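The quickest way to find out whether a machine is affected is to ask Bash itself. The following is an added example, not code from the original post: Bash exports shell functions to child shells through ordinary environment variables whose value begins with "() {", and an unpatched Bash would import such a value as a function and then keep executing whatever text followed the closing brace, before the child shell had even started running its real command. The check below assumes a "bash" binary on PATH and can be run from any POSIX shell; the variable name passed as the optional argument is only there to show that the name does not matter (a web server, for example, copies the User-Agent header into HTTP_USER_AGENT before running a CGI script).

```shell
# Added example (not from the original post): local self-test for the Bash
# bug tracked as CVE-2014-6271. Assumes "bash" is on PATH.

shellshock_check() {
    # Nothing to test if bash is not installed at all.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # The environment variable name is arbitrary; default to "x".
    name=${1:-x}

    # "env" hands the crafted variable to a child bash. The text after "}; "
    # is the payload. "bash -c 'echo done'" is the legitimate command; on a
    # vulnerable bash the payload runs first, while bash is still importing
    # its environment. A fixed bash treats the value as a plain string.
    out=$(env "$name=() { :;}; echo VULNERABLE" bash -c 'echo done' 2>/dev/null)

    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone run: generic variable, then one named like a CGI header.
echo "bash on this host (variable x):              $(shellshock_check)"
echo "bash on this host (variable HTTP_USER_AGENT): $(shellshock_check HTTP_USER_AGENT)"
```

On an unpatched system the first line of output reads "vulnerable" even though the only command the child shell was asked to run was `echo done`; that is the whole bug in one line. Run the check again after updating Bash to confirm the fix took effect.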
Shellshock's Impact on Servers
After Yinette's discovery, she and fellow researchers at malwaremustdie.org found that the malware included a distributed denial of service (DDoS) IRC bot and a feature that used a list of weak passwords, including 'root,' 'admin,' 'user,' 'login,' and '123456,' to try to guess logins on other servers and spread further.
Errata Security's Robert Graham ran an internet-wide scan of webservers on port 80 to see how many were vulnerable to Shellshock, and reported finding about 3000 systems. He later noted that his scan had broken and stopped capturing results, so there are likely many more vulnerable systems than he initially reported.
Port 80 is the standard port for ordinary (unencrypted) web traffic, so it is where most webservers listen. However, administrators can run a webserver on any unused port they like, and Graham says that makes it extremely difficult to put a figure on how many vulnerable webservers there are. "Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems," explained Graham. "One key question is whether Mac OS X and iPhone DHCP service is vulnerable -- once the worm gets behind a firewall and runs a hostile DHCP server, that would [be] 'game over' for large networks."
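Scanners like Graham's and the real exploits seen in the wild deliver the trigger the same way: the "() {" text is placed in an HTTP header or query string that the webserver copies into an environment variable before launching a script. That means a webserver's own access log is a good place to look for probes. The following is an added example, not code from the original post; the log lines it scans are constructed for illustration, not real captures, and the pattern matches the trigger both raw and in its percent-encoded form (%28%29%20%7B). It will not see attacks arriving through other channels such as the DHCP path Graham mentions, which never touch a web log.

```shell
# Added example (not from the original post): flag Shellshock probes in an
# Apache/nginx-style access log. Sample lines are constructed, not real.

SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 80 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 0 "-" "curl/7.38"
10.0.0.6 - - [25/Sep/2014:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "() { whoami; }; /bin/bash -i"'

# Print every line of the log file $1 that carries the trigger, either raw
# ("() {" with an optional space) or percent-encoded (%28%29%20%7B, %28%29%7B).
shellshock_grep() {
    grep -E '\(\) ?\{|%28%29(%20)?%7[Bb]' "$1"
}

# Number of suspicious requests in log file $1.
shellshock_count() {
    shellshock_grep "$1" | wc -l | tr -d ' '
}

# Distinct source addresses that sent a probe, one per line, sorted.
# Assumes the common log format, where the client address is field 1.
shellshock_sources() {
    shellshock_grep "$1" | awk '{print $1}' | sort -u
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "suspicious requests: $(shellshock_count "$tmp")"
echo "sources:"
shellshock_sources "$tmp"
rm -f "$tmp"
```

Against the sample this reports three suspicious requests from three sources; the first line, a normal browser request, is left alone. Point `shellshock_grep` at a real access log to see whether your own servers have been probed, and remember that a hit in the log only tells you that someone tried, not whether the attempt succeeded.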
Stay tuned for more on the Shellshock vulnerability, how it may affect you, and what you can do to protect yourself! As always, if you have questions about malware and how to keep your systems safe, call the experienced techs at TCI Technologies at (516) 484-5151, or ask us on Facebook!